A note with CVSS 5.4 for component EPM-DSM-GEN was released by SAP on 08.12.2020. The correction/advisory 2971180 was described with "[CVE-2020-26828] Formula Injection in SAP Disclosure Management" and affects the system type SAP Disclosure Management.
A workaround does not exist, according to the SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is command injection within SAP Disclosure Management.
Risk specification: An authenticated attacker could upload files containing scripts to Disclosure Management. The execution of such scripts could modify or read data available in a spreadsheet.
It is no longer possible to upload files containing a script.
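One way an upload gate can reject formula-bearing content, shown as an added example that is not SAP's correction or code from the advisory. It assumes CSV input; the function names and sample rows are constructed for illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula. Tab and carriage return are included because they can precede
# a trigger character and still lead to evaluation.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_plain_number(value: str) -> bool:
    """True for values such as -12.5 or +300 that only look like formulas."""
    try:
        float(value)
        return True
    except ValueError:
        return False


def find_formula_cells(csv_text: str):
    """Return (row, column, value) for each cell a spreadsheet would evaluate."""
    findings = []
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    for r, row in enumerate(reader, start=1):
        for c, cell in enumerate(row, start=1):
            candidate = cell.lstrip(" ")
            # Signed numbers are legitimate data, so only non-numeric
            # values with a trigger prefix are reported.
            if candidate.startswith(FORMULA_TRIGGERS) and not is_plain_number(candidate):
                findings.append((r, c, cell))
    return findings


def accept_upload(csv_text: str) -> bool:
    """Upload gate (assumed policy): reject the file if any cell is formula-like."""
    return not find_formula_cells(csv_text)


# Constructed sample uploads, not taken from the advisory.
SAMPLE_OK = "account,amount\nrevenue,-1200.50\ncosts,+300\n"
SAMPLE_BAD = 'account,amount\nrevenue,"=SUM(B2:B9)"\nnote,@total\ncosts,-B2+B3\n'

if __name__ == "__main__":
    print("clean file accepted:", accept_upload(SAMPLE_OK))
    for row, col, value in find_formula_cells(SAMPLE_BAD):
        print(f"rejected: row {row}, column {col}: {value!r}")
```

The same check applies to cell values read from other spreadsheet formats once they have been parsed into strings.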
The advisory is valid for
- 9.9 [CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT)
- 7.2 [CVE-2020-6192] Missing Input Validation in SAP Landscape Management
- 7.2 [CVE-2020-6236] Privilege Escalation in SAP Landscape Management (SAP Adaptive Extensions)
- 7.2 [CVE-2020-6191] Missing Input Validation in SAP Landscape Management
- 7.2 [CVE-2020-6234] Privilege Escalation in SAP Host Agent